
Module 2

COMPLIANCE FRAMEWORKS

CONTENTS

Introduction 2 – 1
Module objectives 2 – 1
Regulatory requirements 2 – 1
Australian Securities and Investments Commission 2 – 2
Australian Transaction Reports and Analysis Centre 2 – 2
Standards and guidelines 2 – 2
Basel Committee on Banking Supervision 2 – 2
Standards Australia 2 – 3
Key elements of an effective compliance management system 2 – 5
Enterprise-wide compliance management 2 – 6
Implementing a compliance framework 2 – 7
Implementing a compliance management system 2 – 8
Compliance maturity of an organisation 2 – 10
Complexity of compliance obligations 2 – 11
Single issue focus 2 – 12
Outsourced functions 2 – 12
Legislative change 2 – 13
Dedicated compliance staff 2 – 13
Compliance risk assessment 2 – 14
Disclosure and reporting obligations 2 – 15
ASIC Regulatory Guidance 2 – 15
Statutory requirements 2 – 15
Internal compliance reporting 2 – 15
Tools and techniques 2 – 16
Compliance management software 2 – 16
Monitoring techniques 2 – 17
Templates 2 – 18
Responsibilities of the board and management 2 – 18
Readings 2 – 21
Key readings 2 – 21
Optional readings/background references 2 – 21
Questions and answers 2 – 23

Compliance frameworks

Governance Institute of Australia / 2017 2 – 1

2

INTRODUCTION This module introduces a structured approach to an effective compliance framework as a key component of the overall governance framework. It discusses the current international Standard, ISO 19600:2014 Compliance management systems — Guidelines (ISO 19600:2014). ISO 19600:2014 was formally adopted by Standards Australia in June 2015 and is recognised in Australia as AS/ISO 19600:2015 Compliance management systems — Guidelines (AS/ISO 19600:2015). This standard is identical to ISO 19600:2014.

The compliance framework is broader than just ensuring legal obligations to the regulatory bodies are met. It includes implementing effective steps to ensure that the organisation complies with its internal codes of practice and policies and honours its business contractual obligations.

A compliance framework that is embedded as part of good business practice can provide an organisation with competitive advantage. When well implemented, it is an important mechanism for achieving an organisation’s financial, operational and strategic objectives, by facilitating execution of legal obligations and ensuring a due diligence defence in the event of a breach occurring.

The compliance framework needs to be implemented and managed as far as possible on an enterprise-wide basis to achieve optimal value and efficiency; and the organisation’s compliance risk appetite should be consistent with its overall risk appetite. Its business objectives and strategy, guided by the board and implemented by management, should be developed to operate within its compliance framework and risk appetite.

A copy of the ISO 19600:2014 or AS/ISO 19600:2015 is not required for completion of this module. The course materials are sufficient to complete the assessment.

Module objectives

• To apply the compliance elements in international Standard ISO 19600:2014 Compliance management systems — Guidelines

• To develop an effective compliance framework

• To appraise the methodologies used for monitoring and reporting on compliance

• To consider the compliance responsibilities of the board and management

Linkage with other modules Compliance frameworks provide core concepts relevant to all parts of this subject, and a working knowledge of the framework concepts will assist students in the practical implementation of various parts of the other modules. This module also utilises concepts from other modules to explain how to practically approach a compliance framework. For example, project governance concepts are found in the discussion on compliance management software in this module; and it draws from Module 1 in relation to the compliance risk assessment concepts and the link between compliance risk and organisational strategy and risk profiling needs.

REGULATORY REQUIREMENTS The regulators are the primary source of guidelines on compliance principles and practices and provide comprehensive information on establishing effective compliance frameworks. In Australia, compliance regulation is not new: the original Australian Standard AS 3806–1998 Compliance programs was superseded by AS 3806–2006 Compliance programs. The current standard AS/ISO 19600:2015 supersedes AS 3806–2006.

Risk and Compliance

2 – 2 Governance Institute of Australia / 2017

Australian Securities and Investments Commission The formal, legal requirement for a compliance framework originated in the banking and financial services sector in the late 1990s, when a trustee of a managed investment scheme was first required to have in place a method to demonstrate how it would comply with its legal obligations under the Managed Investments Act 1998. This took the form of a documented compliance statement that was required to be lodged with the regulator, and was subject to an annual, statutory external audit.

This was carried forward and extended under the reforms to the Corporations Act 2001 (CLERP 9 and the Financial Services Reform Act), and created a general obligation for all financial services licensees to have in place ‘adequate risk management systems’.

As part of the formal licensing process, the organisation is required to evidence to the Australian Securities and Investments Commission (ASIC) its compliance framework for meeting the licensing obligations, and how it will meet the product and service authorisations contained on the licence, within the scope of the risk management system.

ASIC’s regulatory guides (RG) detail its compliance framework requirements:

• RG 62 — Better disclosure for investors

• RG 68 — New financial reporting and procedural requirements

• RG 104 — Licensing: Meeting the general obligations

• RG 132 — Managed investments: Compliance plans

These RGs are cited under the Optional readings at the end of this module and are accessible at www.asic.gov.au.

To further embed the requirements, the annual statutory audit of financial services licensees specifically covers the licensee’s compliance with all of the general obligations of its licence, and the regulator itself undertakes periodic, targeted reviews of the adequacy of licensees in meeting these requirements.

Australian Transaction Reports and Analysis Centre The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s intelligence unit with regulatory responsibility for anti-money laundering and counter-terrorism financing.

AUSTRAC administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). The AML/CTF Act requires reporting organisations to identify, mitigate and manage the risk of their products and services potentially facilitating money laundering or terrorism financing activities. The AML/CTF Act uses the term AML/CTF program and requires the appointment of an AML/CTF compliance officer within the organisation. Details are at www.austrac.gov.au.

STANDARDS AND GUIDELINES Industry standards and guidelines are an important consideration when developing and implementing a cohesive and effective compliance framework. The Basel Committee on Banking Supervision and Standards Australia provide the main formalised compliance standards and guidelines.

Basel Committee on Banking Supervision In April 2005, the Basel Committee on Banking Supervision, part of the Bank for International Settlements (BIS), published a paper ‘Compliance and the Compliance Function in Banks’. The objective of the paper was to facilitate and enhance sound compliance practice in banks; however, its principles are applicable across all industries.


The Basel Committee established ten principles of compliance. Principles 1 and 2 state the recommended responsibilities of the board of directors and senior management; the remaining principles deal with various other key issues of the compliance function, including:

• independence

• resources

• compliance function responsibility

• relationship with internal audit

• cross-border issues

• outsourcing.

The Basel paper is cited as a Key reading for this module.

In August 2008, the Basel Committee released its follow-up report and findings, ‘Implementation of the Compliance Principles: A Survey’. The report assessed the degree to which the compliance principles had been implemented. This report is available on the BIS website and is provided as an Optional reading at the end of this module.

The report found that the principles it had recommended had been effectively adopted, and the Committee was overall satisfied with the compliance frameworks being put in place. Since then, global regulatory investigations and record fines suggest that shortcomings remain in the compliance framework and implementation practices of a significant number of global financial institutions, notably in the US and UK/Europe.

Standards Australia ISO 19600:2014 is the first international Standard governing compliance management. As stated in the Introduction, ISO 19600:2014 was formally adopted in June 2015 by Standards Australia as AS/ISO 19600:2015.

AS/ISO 19600:2015 is identical to ISO 19600:2014, from which it was revised and re-designated by the Standards Australia Committee. The duplication is evidenced by the fact that references to the international Standard have not been replaced with the words ‘Australian Standard’. AS/ISO 19600:2015 is considered to be the Australian and international benchmark for compliance management systems. This makes it relevant for Australian companies with global operations that want to develop a compliance framework that meets international, cross-jurisdictional standards.

ISO 19600:2014 states:

‘in a number of jurisdictions, the courts have considered an organisation’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contravention of relevant laws.’

Structure of ISO 19600:2014 Many organisations prioritise their legal and regulatory obligations; however, ISO 19600:2014 makes it clear that the concept of compliance is much more expansive and extends to obligations such as those set out in an organisation’s standard operating procedures, including contractual and organisational obligations (those arising from policies, procedures and risk treatment) as well as legal and regulatory obligations. The structure of ISO 19600:2014 sets out the seven key organisational elements that are required to support compliance:

1 context of the organisation

2 leadership

3 planning

4 support


5 operation

6 performance evaluation

7 improvement

ISO 19600:2014 uses a high-level structure (that is, a common clause sequence, common text and common terminology) to align it with other ISO management systems, for example, ISO 9001:2008 Quality management systems and ISO 14001:2015 Environmental management systems — Requirements with guidance for use. This makes it easier for an organisation that has not adopted management system standards or a compliance management framework to adopt the international Standard as stand-alone guidance within the organisation.

The Standard does not specify requirements, but provides guidance on compliance management systems and recommended practices. The guidance is intended to be adaptable, and how it is used can differ depending on the size and level of maturity of an organisation’s compliance management system and on the context, nature and complexity of the organisation’s activities, including its compliance policy and objectives. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.

ISO 19600:2014 provides a risk-based approach to compliance management that is aligned with ISO 31000:2009 Risk management — Principles and guidelines. Based on this risk-based approach, obligations with high compliance risk will be prioritised and allocated the majority of management focus and controls. This approach ensures the right focus is allocated to compliance management efforts.

ISO 19600:2014 places emphasis on compliance as being embedded in the culture of the organisation and states that compliance is to be ‘integrated with the organisation’s financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures’. It makes it clear that compliance is a responsibility of an organisation’s governing body, and not a mere function of the organisation.

Key definitions in ISO 19600:2014 are:

• Compliance requirement — requirement that an organisation has to comply with.

• Compliance commitment — requirement that an organisation chooses to comply with.

• Compliance obligation — compliance requirement or compliance commitment.

• Compliance — meeting all the organisation’s compliance obligations.

• Compliance function — person(s) with responsibility for compliance.

• Management system — set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives.

A key distinction the Standard draws is the difference between a compliance requirement and a compliance commitment, with a compliance obligation including both requirements and commitments.

In the Optional readings article, New international compliance standard launched, published in December 2014, Clayton Utz outlines the ISO 19600:2014 requirements Australian organisations should be aware of:

• consider compliance obligations that are mandatory (for example, legislation, licences and permits) and voluntary (for example, internal codes of conduct and industry codes)

• ensure your compliance management system is planned and developed within the context of your organisation’s commercial environment, objectives, strategic direction and organisational values

• the express list of the kinds of documentation which must be present to support the compliance management system

• adopt a risk-based approach to compliance and in particular, develop an organisational risk appetite for legal compliance risks


• integrate your compliance management system with your business processes

• align your operational targets with compliance obligations

• ensure your organisational culture and the actions taken by your leaders promote a compliance culture

• engage with external and internal stakeholders to determine their compliance expectations of your organisation.

The article also notes that Australian organisations compliant with the superseded AS 3806–2006 should not expect any substantive effort to be required to meet the ISO 19600:2014 requirements.

KEY ELEMENTS OF AN EFFECTIVE COMPLIANCE MANAGEMENT SYSTEM An organisation’s values, ethics and culture are the core drivers that influence the direction of an organisation’s compliance framework. The reason many compliance management systems fail is the inability of the organisation to develop an effective management framework to manage the many elements of the compliance function.

Business objectives and functions provide the foundation for understanding and embedding compliance policy and processes into business operations. Within this context, Figure 1 — Flowchart of a compliance management system is set out in AS/ISO 19600:2015 and is consistent with other management systems and based on the continual improvement principle (Plan-Do-Check-Act).

Figure 1 — Flowchart of a compliance management system

Source: Australian Standard Compliance Management System – Guidelines.


Figure 2 — Compliance framework is an example of how the many elements of the compliance principles are translated into a business environment. It illustrates the key elements of an effective compliance framework, how they interrelate and how the framework is linked to the organisation’s ethics, code of conduct and its business objectives.

Figure 2 — Compliance framework

Source: KPMG

Question A What would need to be in place for an organisation to be able to demonstrate its commitment to effective compliance?

ENTERPRISE-WIDE COMPLIANCE MANAGEMENT Enterprise-wide compliance management refers to an organisation’s management of compliance as a cohesive and coordinated response across its legal obligations, such as workplace health and safety laws; its internal codes of practice, such as the employee code of ethics; and its contractual obligations.


Compliance managed on an enterprise-wide basis has a clearly defined compliance policy and framework. This compliance policy and framework is typically coordinated with the risk management framework and there is a well-established culture of compliance in the organisation’s policies, procedures and controls. Enterprise-wide compliance management relies upon compliance reporting which incorporates:

• material breaches, system breakdowns or areas of concern or potential exposure, for example, non-disclosure to clients, poor machinery or equipment, inadequate waste discharge testing

• achievement against key performance indicators

• results of compliance reviews or inspections/audits that are relevant to compliance obligations

• information about the external regulatory/compliance environment, such as new legislation, changes to existing law or changes to enforcement policies. Legislation impacts on multiple areas of an organisation. Many forms of legislation have common features that need to be implemented across all or parts of an organisation.

The approach taken to implement and manage a compliance framework will depend on a number of factors, including:

• level of maturity of the organisation

• complexity of the organisation

• extent to which it decides to integrate compliance and other governance functions, for example, risk, finance, company secretariat and legal

• regulatory environment in which it operates.

Enterprise-wide compliance management can also be used to implement and manage organisational policy and procedure, where it is common to the whole organisation. Examples include people management policies, ethics and fraud prevention, complaints handling procedures and recruitment practices.

Implementing a compliance framework In order to establish an effective and robust compliance framework, it is important that it is implemented appropriately. The strategic framework must be agreed upon. This requires consideration of the following questions:

• What does compliance mean to the organisation?

• How will it deliver against the organisation’s business objectives?

• What are the key drivers to delivering value?

• What model will be used?

These matters require discussion with the board and senior management, and consideration of the wider culture and organisational structure. The compliance framework should cover the following aspects of the organisation:

• structure

• integration approach

• reporting requirements

• lines of responsibility

• compliance obligations

• policies and procedures

• training


• breach identification, reporting, management and remediation

• compliance awareness and culture.

While compliance frameworks have common attributes, it is critically important to consider the structure, culture and context of the organisation when developing a compliance framework. A good compliance framework should fit the organisation and be tailored to the particular needs of the organisation and its business.

Implementing a compliance management system

Rule identification and analysis

• Identify relevant legislation and regulatory Standards/guidelines, industry codes and principles, organisational rules and policies, key contractual obligations.

• Summarise the information found from the analysis of the material identified.

• Analyse to identify key legal obligations/rules.

• Map to relevant business functions and processes.

Risk assessment Perform compliance risk assessment to determine priority of the compliance obligations — this will largely determine where the majority of effort will be focused to achieve compliant outcomes.

Development of compliance policy and compliance risk management plans The compliance policy should include an aspirational statement of what compliance means to the organisation — for example, that it is a core value and that the organisation aims to fully meet its regulatory obligations at all times. Documentation of the compliance policy is a key reference resource for the deployment of the compliance framework — it anchors the other supporting compliance activities. Often, the compliance policy is endorsed by the board demonstrating the importance of the framework to the organisation. In certain industries, such as financial services, it is a mandatory requirement that the board endorses the policy and/or framework.

The compliance policy document should:

• describe the process and key controls

• define oversight roles and responsibilities

• specify tools available and those that must be used for consistent reporting requirements and obligations.

The compliance risk management plan should:

• identify, document and assess residual risk and existing compliance controls

• develop action plans for enhancement of deficient controls and development of new controls.

Allocation of responsibility There should be an allocation of board, management and employee responsibility for all relevant aspects of compliance (including agents and suppliers or outsourced service providers). In addition, operational procedures manuals should be updated where necessary. As with any organisational policy, delegation of ‘ownership’ of the policy should be clear. The policy owner would usually have responsibility for periodic review of the policy and for the monitoring of adherence to the policy.


Training and assessment The development of any policy requires a plan that will ensure the implementation of that policy. The training and implementation plan accompanying the policy document ensures that the policy will be adhered to in the operational activities of the business. This would typically include the following steps:

• conducting a training needs analysis

• identifying existing training and awareness programs to maximise the potential of embedding compliance training, and minimising the need for specific and separate compliance training

• developing training delivery to address initial, continual and one-off training requirements

• developing assessment and recording processes, especially for mandated training.

Monitoring performance Policy documents on their own do not ensure compliance with the business policies. In addition to training and development of ongoing education about the compliance policy, the final and key stage to implementation of the compliance framework is to develop appropriate monitoring and reporting of the adherence to the framework. This includes the following steps:

• developing monitoring programs which consider the appropriate mix of controls self-assessment, internal assurance and external assurance

• allocating responsibility for monitoring

• developing the process and system for recording results of monitoring

• developing the process for reporting, assessment and escalation of breaches and potential breaches

• developing the process for identification of continuous disclosure impacts

• monitoring risk management status to identify potential compliance impacts and changes to residual compliance risk profile.

Remedial actions In the event that the monitoring of compliance arrangements identifies breaches of the policy or other compliance failures, action will be needed to resolve the failures. Often, a compliance failure may be a one-off incident. However, there may be occasions where repeated failures of compliance fall into the systemic category (ongoing, same or similar failure of a control or set of controls). Whether a failure is one-off or systemic, the failure requires investigation to determine if additional mitigation arrangements need to be implemented, or if targeted or additional training/awareness may resolve the issue.

Remedial actions involve the following steps:

• developing the process for management and reporting of remedial actions

• developing the process for meeting continuous disclosure obligations.

Management information Producing management information on the organisation’s adherence to the compliance policy and procedures is a key part of ensuring that information on compliance activity is reviewed. Review of aggregated information by the board and senior management should extend to both the positive outcomes of a compliance management system (how well the organisation complies with legislation, internal codes and policies and contract obligations), and the negative outcomes (instances where breaches or compliance failures have occurred).


Producing compliance management information involves the following steps:

• developing compliance reporting for management and board reporting that adds value to decision-making; typically, standard content for consistency of how information is presented in reports maximises its value

• identifying key compliance behavioural drivers and indicators (lead and lag) and building these into reporting

• developing breach and remedial action reporting.

Updates and advisory information All business activities are dynamic and require supporting processes to ensure that appropriate changes to processes and controls occur in a timely manner. The development of a periodic review of existing compliance processes to ensure that they remain in step with obligations, and establishing clear responsibility for the ongoing ownership of maintaining compliance structures that match external and internal needs, is critical. Assigning ownership of compliance management to individuals establishes accountability.

Maintenance of a compliance management system would be supported by the following steps:

• developing the process for identification of new or changed compliance obligations and the associated business changes required to meet those new or changed obligations

• developing the process to properly analyse and assign responsibility for actioning changes

• advising the business on implementation of changes, including review of controls, monitoring and reporting of change management, and business acceptance testing

• updating the compliance management system and advising the board, management and employees.

Compliance maturity of an organisation The level of compliance maturity of an organisation — either as a whole or in one or more relevant business areas — will also be a determining factor in the implementation approach. Figure 3 — Compliance maturity model demonstrates the stages and different characteristics of compliance frameworks as organisations move through the maturity development process. Organisations starting out in developing a compliance framework will typically be at the chaos or reactive stage.

According to the Hackman model, a complex business operating in the Quadrant 3 or 4 environment needs to be operating at ‘active’ or above to have a high level of confidence that it is operating in a continuously compliant state.


Figure 3 — Compliance maturity model

The approach taken in implementing a compliance framework will be affected by characteristics of the particular industry the organisation operates in.

Complexity of compliance obligations In Key reading 3, ‘Fit for purpose: Strategies for Effective Implementation of Regulations’, Dr Katarina Hackman provides a model — Approaches to implementing regulatory change — for determining the appropriate strategic response to implementing regulation, based on an analysis of complexity and duration.

In applying Hackman’s model, it is also important to consider whether a regulation should be implemented on a ‘silo’ basis, that is, in stand-alone fashion, or whether the effort should be co-ordinated with other regulation with similar impact and features. Hence, what may initially appear to fit Quadrant 2 in Hackman’s model (longer-term, lower complexity changes) when assessed on a stand-alone basis may actually be better assessed as Quadrant 3 or 4 (longer-term and shorter-term higher complexity changes, respectively) when assessed in conjunction with other similar regulatory requirements impacting the organisation.

A good example is compliance with the AML/CTF Act. Many organisations initially implemented infrastructure and process specifically for the AML/CTF Act. However, many organisations have since realised that some of its requirements, such as know-your-customer checks, employee screening and record keeping, are similar to those required under other legislation, and that they lost the opportunity to leverage prior experience in the implementation and structure of compliance requirements.


Examples of similar requirements can be found in economic and trade sanctions, changes to workplace health and safety law, and the need for compliance by the banking and financial services sector with the Foreign Account Tax Compliance Act (FATCA) (US). This latter law is the forerunner to an OECD-driven global set of rules being developed to prevent cross-border tax evasion. In Australia, the majority of organisations impacted by FATCA designed their compliance management system to enable it to be leveraged for the impending broader global requirements (a replicable compliance framework).1

Single issue focus An issue that often arises is when an organisation focuses specifically on the legislation that most impacts its business, and fails to address all relevant compliance obligations it is impacted by in a coordinated and enterprise-wide manner. For example, financial services organisations typically implement robust compliance frameworks in order to comply with the Corporations Act. However, other obligations are often left to the relevant operational management and are not subject to the same level of independent compliance involvement as corporate and financial services compliance. In many cases, compliance with contractual obligations that an organisation is party to is not well identified within the compliance framework.

What often leads to this situation is either a belief that the head of compliance is not qualified to oversee other compliance obligations, or that the board and senior management have not given sufficient focus to their overall compliance responsibilities.

Under an effective enterprise-wide compliance framework, the head of compliance is not required to be an expert in every business function or activity, nor responsible for the detailed compliance implementation and supervision. However, the head of compliance would be expected, on behalf of the board, to review and report on whether the various other legislative requirements have been identified, are appropriately assigned to management and are monitored by suitably qualified, experienced and independent functions. Two common examples are workplace health and safety, and environmental law obligations, particularly where reporting is required to government bodies.

Outsourced functions

Another common issue is where there is a dependence on an external, or outsourced, function. Often overlooked by boards and senior management is the fact that they remain liable for any compliance failure, regardless of whether it occurs at, or is caused by, an outsourced function. Hence, it is important that compliance is considered at the earliest stages of planning and implementing any outsourced activity.

Outsourcing agreements should always include specific compliance measures that impose compliance standards, monitoring rights, performance and breach reporting, and break rights (the right to terminate the contract in the event of a significant breach). Certain regulatory bodies, notably the Australian Prudential Regulation Authority (APRA), specifically require (in addition to the points above) that, if an outsourcing contract is material, the entity that is outsourcing must consult with the regulator prior to entering into the contracted service.

¹ A replicable compliance program occurs when a compliance program is created to address one set of obligations, and is then re-used to achieve compliance for another, or new, set of obligations. A typical example is the program originally created for AML/CTF law that was then re-used for the economic and trade sanctions rules, as there are many similar features across the rules; this is currently being re-used for a further program (FATCA) that again has a number of similar features and information requirements.


Even where there is no formal or legal requirement to manage compliance when services are outsourced, good business practice suggests that a formal agreement to protect the organisation is imperative. For example, in the event of a failure or major incident, significant reputational damage can be incurred if an outsourced arrangement fails. Outsourcing various parts of the operations of its Gulf of Mexico oil rig did not protect BP from significant litigation and reputational damage when the drilling platform caught fire, resulting in numerous deaths on the platform and a major oil spill.

Importantly, many organisations do not consider outsourcing risk and compliance requirements when the activity is being outsourced to another part of the same organisation, albeit in a different business area. From a regulatory requirements perspective, neither APRA nor ASIC makes any such distinction, and from a commercial view no distinction should be made: an outsourced activity should be considered on the same basis irrespective of whether it is with a related body corporate or a wholly external party, and be subject to the same level of compliance measures.

Legislative change

A critical requirement for an effective compliance framework is an efficient and reliable system to track legislative change. For a basic compliance framework, it is often sufficient to rely on the freely available legal updates provided by the majority of law firms to their clients as part of relationship maintenance; these can be supplemented with various public domain online services.

However, as soon as the level of complexity in the compliance framework increases, such as through multiple business functions and business units, expansion of the business beyond one line of service or product, multi-industry operations or operating in multiple countries, it becomes increasingly risky to rely on ad-hoc legal updates. To avoid potential information gaps, it is recommended that a structured approach to the receipt of legal updates and other relevant compliance information is developed.

A further issue is whether the organisation’s compliance function is equipped to monitor legislative requirements and the external compliance environment. This can be extremely labour intensive, with high volumes of information being received on a constant basis. Not only must it be received and assessed, it often requires expert legal interpretation, and responsibility for actioning changes needs to be formally assigned throughout the organisation. An organisation might consider assigning responsibility to its own legal department or contracting an advisory service to monitor legislation and provide regular, tailored updates.

Dedicated compliance staff

In the banking and financial services sector there are specific compliance personnel requirements, such as the requirement for an AFS licensee to nominate responsible managers. However, these are not specifically compliance staff. The AML/CTF Act requires a reporting entity to appoint an AML/CTF compliance officer, and similarly the Privacy Act requires that a nominated person be appointed as the organisation’s privacy officer.

It is likely that most small to medium-sized organisations will not have a dedicated compliance officer or manager if they are not operating in a highly regulated environment. It is usual in such organisations to assign compliance responsibilities to one or a number of managers, such as the general counsel or company secretary. Larger and more complex organisations will typically have dedicated compliance resources. Often, these will be combined with either the legal or risk functions.

For enterprise-wide compliance to receive adequate attention and support, and for there to be the level of independence of reporting appropriate in the current corporate and legal environment, there should be a person of appropriate seniority designated as the compliance manager, who should, at a minimum, report to a direct report of the chief executive officer, and have direct and confidential reporting access to the board or a board committee with responsibility for compliance obligations.


Question B

Does your organisation have an effective compliance framework in place? What are the key compliance risks that have been identified? Are the roles and responsibilities clearly identified and key processes and action plans clearly articulated?

COMPLIANCE RISK ASSESSMENT

Efficient and cost-effective management of compliance requires the use of a risk management methodology. In relation to risk management from a compliance perspective, an organisation should not ignore legal obligations that it might consider to be of little importance to it. What might appear to be routine or low-level obligations, such as the need for illuminated exit signs, can have significant consequences if ignored. Rather, the organisation should consider using risk management techniques to identify where compliance failure would have the highest impact or severity, and where operationally a failure is most likely to occur. That information can assist the organisation to allocate its scarce resources to the areas of greatest need.

The factors that should be used to undertake compliance risk assessment include the:

• likely or possible consequences of non-compliance, for example death or injury, property damage or financial loss

• size of any criminal and/or civil penalties or sanctions that may be imposed as a result of non-compliance

• effect of non-compliance on the capacity of the organisation to continue to operate if, for example, certain breaches could lead to the loss of an operating licence

• potential for individuals to be held personally liable for compliance breaches

• effect of non-compliance on the company’s brand, reputation and general community standing.

For a useful guide to assessing breaches, review ASIC RG 78: Breach Reporting by AFS Licensees. Although designed for the banking and financial services sector, it provides an overarching set of principles that can be adapted for any industry to assess the significance of a breach.

Question C

Consider how compliance risk assessment is undertaken at your organisation.


DISCLOSURE AND REPORTING OBLIGATIONS

Many organisations face significant continuous or on-going disclosure obligations. It is therefore necessary that the organisation’s compliance framework incorporates controls, processes and monitoring procedures to ensure that disclosure obligations are met at all times.

ASIC Regulatory Guidance

ASIC RG 62: Better disclosure for investors, recommends practical steps that a listed company can take to ensure that it meets both the letter and spirit of the continuous disclosure rules embedded in the Corporations Act and ASX Listing Rules.

Statutory requirements

Issuers of financial products are subject to detailed product and ongoing disclosure requirements under the Corporations Act, as well as other laws relevant to specific industries or activities. The breadth of these requirements is being continuously extended; for instance, the National Greenhouse and Energy Reporting Act 2007 imposes stringent reporting obligations on organisations that produce or emit greenhouse gases at or above the thresholds outlined in the legislation. Similarly, the AML/CTF Act imposes stringent reporting obligations on entities that are subject to it.

For companies listed on ASX, Listing Rule 3 specifically deals with the continuous disclosure obligation for companies to ensure that the market and investors are kept informed of activity that would reasonably be expected to have a material effect on the share price of the company (there are also specific exclusions contained in the rule); and the Rule is accompanied by Guidance Note 8 which provides examples of disclosure. Compliance failure for this Rule carries significant penalties for directors and officers of the company, and can have adverse impacts on the company’s share price more broadly, and often forms the basis of class action law suits.

Internal compliance reporting

To be effective and to add value, internal compliance reporting needs to address the issues and information that are appropriate for the management or board/governing body to which it is addressed, and contribute towards the organisation’s achievement of its business objectives. It should also be clearly linked to supporting the organisation’s code of conduct and ethics.

A basic element of compliance reporting is the provision of timely information on any breaches that have occurred, including:

• information about the compliance obligation breached and the circumstances of the breach

• actions being taken to redress the breach

• expected resolution date (if the date changes, an explanation of why and how it is appropriate)

• whether a notification to a regulator is required (with an explanation of why/why not).

Reporting should also be aligned with the organisation’s desired cultural goals, such as seeking to encourage more open and transparent reporting. Effective compliance reporting is a result of a culture of openness and ongoing dialogue with the report recipients, and should constantly evolve in line with the evolution of the organisation’s compliance maturity and business objectives.

To achieve this, the focus of the reporting should be on the root cause of the issue and its solution, rather than a ‘who is to blame’ approach — this directly contributes to the compliance culture and behaviour of individuals within the organisation.


Internal compliance reporting should include the following elements:

• exception reporting based on the compliance risk appetite of the committee/board, covering in particular:

– breaches, incidents, system breakdowns and the root cause of each instance

– behaviour drivers such as training completion, complaints data and whistle-blower management

• emerging compliance risks

• significant external regulatory actions and/or developments that may impact the business or indicate a regulatory compliance focus area

• actions to address compliance breaches and risks and the timetable to resolution

• if resolution of an issue is to be delayed or take longer than expected, the rationale for that change of timetable needs to be provided.

TOOLS AND TECHNIQUES

An effective compliance framework needs to have appropriate implementation and monitoring systems in place, such as compliance management software, monitoring techniques and templates.

Compliance management software

There is a wide array of compliance management software available, ranging from software designed to manage broad legal obligations, including controls identification and workflow contracts, self-assessment and reporting, through to those designed for specific legislative compliance, such as workplace health and safety, emissions reporting and supply chain management. There are also systems designed to embed or align internal controls, risk management and compliance into the processes that run the business.

Compliance software should not be seen as an easy path to implementing a successful compliance framework, but it can provide an effective means to map and generate the information, reports and data needed to support compliance. In deciding whether to use a software application, the following need to be taken into account: the

• complexity of the particular organisation, including the processes already in place

• cost effectiveness of utilising a systemised approach versus existing methods

• culture and level of sophistication of the organisation, its management and its board

• behavioural changes the organisation is striving for and whether an IT application will enhance that or otherwise

• defined outcome to be achieved — this manages expectation as to what a system can deliver.

Selecting and implementing a compliance software solution

Considerations when selecting and implementing a compliance software solution include:

• Design organisational architecture: should it be sorted by legal entity, business units or functional teams, and why?

• Is the compliance structure centralised or de-centralised?

• What level of access will be given to employees, management, compliance staff, legal staff, auditors, to enter and edit information, view information, create reports?


• Is a combination of all or some of the following required?

– compliance obligation lists

– breach reporting

– resolution plan

– training and awareness

– management reporting

– legislative updates.

• What information is required to populate management and board reports?

• Should compliance be combined with risk management?

• What is the acceptable trade-off between system sophistication and functionality for compliance staff versus ease of use for operational staff required to input information?

• What reference sites can be accessed?

Monitoring techniques

Organisations can employ a range of monitoring techniques, which are discussed below.

Checklists

Checklists can be particularly useful for very detailed and legalistic areas where close monitoring of compliance with specific requirements is important. However, many organisations with a mature compliance culture are trending away from the use of checklists as a monitoring tool. Instead, they are being used as a reference tool to support more operationally-focused control assessments.

Controls self-assessment

Controls self-assessment (CSA) is a process of obtaining verification from staff and management that the controls which have been implemented to give effect to compliance obligations are in place and operating effectively.

When used effectively, and with the input of staff and management in their design, these can be useful in engaging employees in embedding compliance within the organisation. It is important to keep a CSA process simple and easy in order to achieve acceptance: the more complicated the process is, the higher the level of disengagement.

Independent compliance reviews

This refers to the re-testing of compliance by third parties that are independent of the staff and management responsible for the application of controls. Reviews can range from sampling of CSA responses to independent testing of controls by compliance staff or internal audit, through to reviews or audits by external compliance specialists or auditors.

Process automation

Process automation involves compliance controls being built into automated systems, with alerts triggered by exceptions or system breakdowns.


Compliance checks built into workflow processes

Typically, manual processes can have compliance check points built in. This is especially relevant for highly manual processes with high compliance impacts for failure, such as marketing and disclosure documentation preparation, or the provision of investment or product advice to retail customers.

Question D

What compliance monitoring techniques are utilised in your organisation?

Templates

The development of templates for regulated activities and transactions is a key compliance tool. However, when templates are adopted for use, it is important to develop effective version controls and processes to train users to keep templates updated, and to withdraw or prevent access to superseded templates.

Templates can also be employed for compliance reporting to encourage open and transparent reporting of compliance incidents and breaches, while also reducing the risk of creating damaging documentation.

There is no one right answer as to what tools and techniques are preferable, or achieve a better compliance outcome. Importantly, IT systems for compliance, as with any other use, are not always the right solution for an organisation. Referencing ISO 19600:2014, organisations need to consider what is the best fit for their size and complexity and the compliance maturity of the organisation, and whether a manual or automated solution to manage a compliance framework would best achieve the needs of the organisation and its strategy.

RESPONSIBILITIES OF THE BOARD AND MANAGEMENT

The responsibility for an organisation’s compliance with the law lies ultimately with the board of directors or governing body. Table 3 — Allocation of compliance responsibilities, illustrates the typical allocation of compliance responsibilities across relevant roles in an organisation; however, the board retains legal accountability.


Table 3 — Allocation of compliance responsibilities

Role: Compliance responsibilities

Compliance manager: Completeness and appropriateness of controls to manage obligations; framework structure and reporting.

Risk manager: Facilitates compliance risk assessment.

Legal staff: Provide expert advice and interpretation of regulatory requirements (may also be a compliance resource).

HR staff: Culture initiatives, WHS certification, employment obligations (including screening processes of employees).

Operational managers: Certify compliance activity has occurred; controls self-assessment owners; operation of fraud controls.

Internal audit: Adequacy of control design, results of testing.

External experts: Provide independent review, assessment and opinion of compliant outcomes.

Many organisations refer to the practice of providing a certification, sign-off or opinion as assurance. Assurance is a statement to confirm that an activity has been undertaken as expected, for example in accordance with a required policy, legal obligation or contract term.

Question E

How are responsibilities for compliance assigned in your organisation? Do you consider they are appropriate based on what you have learned in this module?


READINGS

The readings are reviewed for currency and relevance. Their inclusion is based on these factors, not on their date of publication.

Key readings

Basel Committee on Banking Supervision 2005, ‘Compliance and the compliance function in banks’.

Donselaar A, 2007, ‘Why Compliance Programs Fail: The Need for Effective Frameworks’, 3 Compliance & Regulatory Journal, Australasian Compliance Institute, pp 15–23.

Hackman K, 2008, ‘Fit for Purpose: Strategies for Effective Implementation of Regulations’, 5 Compliance & Regulatory Journal, Australasian Compliance Institute, pp 33–38.

Optional readings/background references

ASIC 1998, ‘RG 68 New financial reporting and procedural requirements’, www.asic.gov.au/regulatory-resources/find-a-document/?page=18&filter=Regulatory+guide.

ASIC 1998, ‘RG 132 Managed investments: Compliance plans’, www.asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-132-managed-investments-compliance-plans/.

ASIC 2000, ‘RG 62 Better disclosure for investors’, www.asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-62-better-disclosure-for-investors/.

ASIC 2007, ‘RG 104 Licensing: Meeting the general obligations’, www.asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-104-licensing-meeting-the-general-obligations/.

ASIC 2012, ‘Adequacy of risk management systems of responsible entities’, Report 298, www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-298-adequacy-of-risk-management-systems-of-responsible-entities/.

Basel Committee on Banking Supervision 2008, ‘Implementation of the compliance principles — A survey’, www.bis.org/publ/bcbs142.htm.

International Standards Organisation, ISO 19600:2014, Compliance management systems, www.iso.org/iso/catalogue_detail?csnumber=62342.

Kaminski P and Robu K, 2016, ‘A best practice model for bank compliance’, article of McKinsey & Company, January, www.mckinsey.com/business-functions/risk/our-insights/a-best-practice-model-for-bank-compliance.

Sandford N and Mohlenkamp M 2015, ‘Building world-class ethics and compliance programs: Making a good program great’, Deloitte Touche Tohmatsu, www2.deloitte.com/us/en/pages/risk/articles/building-world-class-ethics-and-compliance-programs-making-a-good-program-great.html.

Utz C, 2014, ‘New international compliance standard launched’, www.claytonutz.com/knowledge/2014/december/new-international-compliance-standard-launched#.WFDdEuuYH0s.email.

Whyntie P D, 2007, ‘Effective Direction of Compliance from the Board — A Director’s Survival Guide’, 2 Compliance & Regulatory Journal, Australasian Compliance Institute, pp 39–44.


QUESTIONS AND ANSWERS

Situation 1

You have recently been recruited as compliance manager for Chadwick Industries Limited. Your first task is to write a report which explains to the board the requirements for the organisation to demonstrate its commitment to effective compliance.

Propose the areas that you will reference in your report to the board.

Situation 2

The chair of your organisation has asked you to prepare a report on the effectiveness of the compliance framework, following evidence that management does not seem to be particularly engaged in the ownership of compliance.

Specify the key elements that need to be included in the report.
